
Hlipiyupadewiyo



Hello all, I have a strange malware that keeps coming back. Here is what it says currently in the registry:

Hlipiyupadewiyo rundll32.exe "C:\WINDOWS\ujoduvakadevi.dll",e

This is located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Here is the ugly part. If I delete this entry, it comes back in a couple of minutes. If I run MalwareBytes, it finds it, deletes it and it will come back. If I log into safe mode and delete the dll file (currently named "ujoduvakadevi.dll"), it will come back named something different. However, the main name always stays the same (Hlipiyupadewiyo).

I have tried Ad Aware, CCleaner, ComboFix, and of course MalwareBytes. Nothing seems to get rid of it permanently.

Below is the HiJackThis log.

Thanks for any help

~B

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:14:41 PM, on 4/6/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\bmwebcfg.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\regedit.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175990021875

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...570/mcfscan.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = linksys.com,linksys.com,linksys.com,linksys.com,linksys.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = linksys.com,linksys.com,linksys.com,linksys.com,linksys.com

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Executive Software Undelete (UndeleteService) - Unknown owner - C:\Program Files\Executive Software\Undelete\UdServe.exe (file missing)

--

End of file - 13582 bytes


Here is the ComboFix log:

ComboFix 09-04-04.01 - Brian 2009-04-06 13:40:45.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.642 [GMT -7:00]

Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))

.

2009-04-06 13:14 . 2009-04-06 13:14 <DIR> d-------- c:\program files\Trend Micro

2009-04-06 12:06 . 2009-04-06 12:06 <DIR> d-------- c:\program files\CCleaner

2009-04-02 08:25 . 2009-04-02 11:06 <DIR> d-------- c:\documents and settings\Brian\.housecall6.6

2009-03-29 13:19 . 2009-03-29 13:19 <DIR> d-------- c:\program files\ffdshow

2009-03-29 13:19 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest

2009-03-29 13:03 . 2009-03-29 13:51 <DIR> d-------- c:\documents and settings\Brian\Application Data\FLV Extract

2009-03-24 17:50 . 2009-03-24 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM

2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Real

2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Common Files\xing shared

2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Common Files\Real

2009-03-20 23:07 . 2009-03-27 21:52 237,568 --a------ c:\windows\system32\rmc_rtspdl.dll

2009-03-20 23:07 . 2009-03-27 21:52 156,672 --a------ c:\windows\system32\rmc_fixasf.exe

2009-03-20 23:06 . 2009-03-20 23:06 <DIR> d-------- c:\windows\Replay Media Catcher

2009-03-20 23:06 . 2009-03-27 23:29 <DIR> d-------- c:\program files\Replay Media Catcher

2009-03-20 23:06 . 2009-03-27 21:52 323,584 --a------ c:\windows\system32\AUDIOGENIE2.DLL

2009-03-19 17:01 . 2009-03-19 17:53 <DIR> d-------- c:\program files\iTunes

2009-03-19 17:01 . 2009-03-19 17:01 <DIR> d-------- c:\program files\iPod

2009-03-19 17:01 . 2009-03-19 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-19 16:55 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll

2009-03-11 17:02 . 2009-03-11 16:51 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-03-11 16:51 . 2009-03-11 16:50 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-03-11 16:45 . 2009-03-11 16:45 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-02 15:25 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-04-01 03:29 --------- d-----w c:\program files\Java

2009-03-29 19:48 --------- d-----w c:\program files\Avidemux 2.4

2009-03-29 19:41 --------- d-----w c:\documents and settings\Brian\Application Data\Audacity

2009-03-28 01:50 --------- d-----w c:\documents and settings\Brian\Application Data\gtk-2.0

2009-03-27 18:12 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-26 23:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-26 23:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-25 23:32 --------- d-----w c:\documents and settings\Brian\Application Data\AVS4YOU

2009-03-20 00:53 --------- d-----w c:\documents and settings\Brian\Application Data\Apple Computer

2009-03-20 00:01 --------- d-----w c:\program files\Common Files\Apple

2009-03-20 00:00 --------- d-----w c:\program files\Bonjour

2009-03-19 23:59 --------- d-----w c:\program files\QuickTime

2009-03-17 04:44 --------- d-----w c:\documents and settings\Brian\Application Data\Move Networks

2009-03-12 00:22 --------- d-----w c:\documents and settings\All Users\Application Data\RapidSolution

2009-03-11 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-03-06 06:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys

2009-02-26 20:38 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-24 05:13 --------- d-----w c:\program files\Free Video Tools

2009-02-20 20:43 --------- d-----w c:\documents and settings\Brian\Application Data\vlc

2009-02-20 20:35 --------- d-----w c:\program files\VideoLAN

2009-02-19 23:25 --------- d-----w c:\program files\iTunes Library Updater

2009-02-19 18:53 --------- d-----w c:\program files\Common Files\AVSMedia

2009-02-19 18:53 --------- d-----w c:\program files\AVS4YOU

2009-02-19 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU

2009-02-19 18:19 --------- d-----w c:\program files\PixiePack Codec Pack

2009-02-19 18:16 --------- d-----w c:\program files\RapidSolution

2009-02-19 18:09 --------- d-----w c:\program files\Ultra QuickTime Converter

2009-02-19 18:03 --------- d-----w c:\program files\MediaCoder

2009-02-19 18:03 --------- d-----w c:\documents and settings\Brian\Application Data\Broad Intelligence

2009-02-19 04:08 --------- d-----w c:\documents and settings\Brian\Application Data\ImTOO Software Studio

2009-02-19 04:07 --------- d-----w c:\program files\ImTOO

.

((((((((((((((((((((((((((((( SnapShot@2009-04-06_12.28.54.90 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-04-02 22:43:49 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-04-06 20:05:15 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-04-02 22:43:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-04-06 20:05:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-04-02 22:43:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-04-06 20:05:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-04-06 18:38:17 64,774 ----a-w c:\windows\system32\perfc009.dat

+ 2009-04-06 20:05:44 64,774 ----a-w c:\windows\system32\perfc009.dat

- 2009-04-06 18:38:17 409,800 ----a-w c:\windows\system32\perfh009.dat

+ 2009-04-06 20:05:45 409,800 ----a-w c:\windows\system32\perfh009.dat

+ 2009-04-06 20:45:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1a0.dat

+ 2008-04-14 00:12:08 157,696 ----a-w c:\windows\ujoduvakadevi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-08 344064]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-20 198160]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"Hlipiyupadewiyo"="c:\windows\ujoduvakadevi.dll" [2008-04-13 157696]

"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-20 25214]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-20 113664]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 581693]

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-04-07 184320]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli cpstrl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-11 64160]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;c:\program files\Visioneer\OneTouch 4.0\OtService.exe [2007-09-21 131072]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-04-07 88192]

S2 UndeleteService;Executive Software Undelete;"c:\program files\Executive Software\Undelete\UdServe.exe" --> c:\program files\Executive Software\Undelete\UdServe.exe [?]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-10 109080]

S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [2007-09-25 15152]

S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [2007-06-01 17024]

S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [2007-06-01 120960]

S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-06-01 8064]

S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [2007-06-01 36992]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-10-10 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-10-10 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-10 42112]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]

c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-11 16:49]

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

LSP: bmnet.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-06 13:46:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1044)

c:\windows\cpstrl.dll

c:\windows\system32\bmnet.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\scardsvr.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\bmwebcfg.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\Crypserv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe

c:\windows\system32\wbem\wmiadap.exe

.

**************************************************************************

.

Completion time: 2009-04-06 13:49:52 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-06 20:49:49

ComboFix2.txt 2009-04-06 19:29:40

Pre-Run: 7,063,465,984 bytes free

Post-Run: 7,069,171,712 bytes free

221 --- E O F --- 2009-03-20 10:02:17


  • Staff

Hi,

The next Malwarebytes' Anti-Malware update (which will be released today or tomorrow) will automatically delete this infection as well. :)

But for now, we still have to use a CFScript.

* Open notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\cpstrl.dll

c:\windows\ujoduvakadevi.dll

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Hlipiyupadewiyo"=-

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

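The CFScript above does three things: it deletes the two DLLs, resets the LSA "Notification Packages" value so that only scecli remains, and removes the Hlipiyupadewiyo value from the HKLM Run key. The first ComboFix log shows why deleting the Run value and the DLL by hand kept failing: cpstrl.dll is listed in Notification Packages and appears among the DLLs loaded under lsass.exe, so it runs inside LSASS at every boot with SYSTEM rights, which is consistent with the Run entry and a freshly named DLL reappearing minutes after each cleanup. The following read-only PowerShell audit is an added example written for this thread; it is not code from the poster, from Malwarebytes or from ComboFix. It assumes an elevated prompt, that scecli is the only notification package expected on a standalone workstation (the $KnownPackages baseline is an assumption to adjust per build and role), and that a rundll32-launched DLL living outside system32 or Program Files is worth a second look.

```powershell
# Added example (not from the thread): read-only audit of the two persistence
# points the CFScript cleans up. Run from an elevated PowerShell prompt; nothing
# is modified. Written with PowerShell 2 compatible syntax for older hosts.

# Assumption: scecli is the only default package on a standalone XP/2003
# workstation. Domain controllers and hosts with extra password filters add
# names; extend this baseline before trusting the Known column.
$KnownPackages = @('scecli')

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
)

function ConvertFrom-RegHex7 {
    # Decode the hex(7) form used in a REGEDIT4 file (comma separated ANSI bytes,
    # strings separated by NUL, double NUL at the end) into the list it sets.
    param([Parameter(Mandatory=$true)][string]$Hex)
    $bytes = foreach ($b in ($Hex -split ',')) { [Convert]::ToByte($b.Trim(), 16) }
    $text  = [Text.Encoding]::Default.GetString([byte[]]$bytes)
    return @(($text -split "`0") | Where-Object { $_ -ne '' })
}

function Get-LsaNotificationPackages {
    # Every name in this REG_MULTI_SZ is a DLL that lsass.exe loads at boot.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item   = Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($entry in @($item.'Notification Packages')) {
        $name = ([string]$entry).Trim()
        if (-not $name) { continue }
        $base = [IO.Path]::GetFileNameWithoutExtension($name)
        # A bare name is resolved through the DLL search path, so the file may sit
        # in system32 or, as cpstrl.dll did in the log, directly in %SystemRoot%.
        $candidates = @((Join-Path $env:SystemRoot "system32\$base.dll"),
                        (Join-Path $env:SystemRoot "$base.dll"))
        $onDisk = @($candidates | Where-Object { Test-Path -LiteralPath $_ })
        New-Object PSObject -Property @{
            Package = $name
            Known   = ($KnownPackages -contains $base)
            FoundAt = ($onDisk -join '; ')
        }
    }
}

function Get-Rundll32RunEntries {
    # Run-key values of the form  rundll32.exe "C:\path\name.dll",Entry
    $metadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $trustedRoots = @((Join-Path $env:SystemRoot 'system32'), $env:ProgramFiles)
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($metadata -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            if ($cmd -notmatch 'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?') { continue }
            $dll = $Matches[1]
            $inTrusted = $false
            foreach ($root in $trustedRoots) { if ($dll -like "$root\*") { $inTrusted = $true } }
            New-Object PSObject -Property @{
                Key        = $key
                Name       = $p.Name
                Dll        = $dll
                Suspicious = (-not $inTrusted)   # bare name, %SystemRoot% root, profile, temp...
                Command    = $cmd
            }
        }
    }
}

# Usage (run as Administrator):
$target = ConvertFrom-RegHex7 '73,63,65,63,6c,69,00,00'   # the value the CFScript writes
Write-Host ("CFScript resets Notification Packages to: " + ($target -join ', '))

Write-Host "`nPackages LSASS loads at boot (Known=False is worth a look):"
Get-LsaNotificationPackages | Format-Table Package, Known, FoundAt -AutoSize

Write-Host "`nRun-key values that start a DLL through rundll32.exe:"
Get-Rundll32RunEntries | Format-Table Key, Name, Dll, Suspicious -AutoSize
```

ConvertFrom-RegHex7 applied to the CFScript's hex(7) string yields the single entry scecli, which is what the script leaves behind after cpstrl.dll is dropped from the list. On the machine in this thread, Get-LsaNotificationPackages would have reported cpstrl.dll with Known=False and FoundAt pointing into c:\windows, and Get-Rundll32RunEntries would have flagged the Hlipiyupadewiyo value because its DLL sits directly in C:\WINDOWS rather than under system32 or Program Files. Treat a Known=False package as the first thing to investigate, since removing the Run value alone will not outlast the next boot while the package is still loaded.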

Thank you very much for taking the time to help me!

Here is the ComboFix log after I ran it with the CFScript.

ComboFix 09-04-04.01 - Brian 2009-04-06 14:22:39.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.583 [GMT -7:00]

Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\cpstrl.dll

c:\windows\ujoduvakadevi.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\cpstrl.dll

c:\windows\ujoduvakadevi.dll

.

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))

.

2009-04-06 13:14 . 2009-04-06 13:14 <DIR> d-------- c:\program files\Trend Micro

2009-04-06 12:06 . 2009-04-06 12:06 <DIR> d-------- c:\program files\CCleaner

2009-04-02 08:25 . 2009-04-02 11:06 <DIR> d-------- c:\documents and settings\Brian\.housecall6.6

2009-03-29 13:19 . 2009-03-29 13:19 <DIR> d-------- c:\program files\ffdshow

2009-03-29 13:19 . 2008-12-11 13:27 547 --a------ c:\windows\system32\ff_vfw.dll.manifest

2009-03-29 13:03 . 2009-03-29 13:51 <DIR> d-------- c:\documents and settings\Brian\Application Data\FLV Extract

2009-03-24 17:50 . 2009-03-24 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM

2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Real

2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Common Files\xing shared

2009-03-20 23:48 . 2009-03-20 23:48 <DIR> d-------- c:\program files\Common Files\Real

2009-03-20 23:07 . 2009-03-27 21:52 237,568 --a------ c:\windows\system32\rmc_rtspdl.dll

2009-03-20 23:07 . 2009-03-27 21:52 156,672 --a------ c:\windows\system32\rmc_fixasf.exe

2009-03-20 23:06 . 2009-03-20 23:06 <DIR> d-------- c:\windows\Replay Media Catcher

2009-03-20 23:06 . 2009-03-27 23:29 <DIR> d-------- c:\program files\Replay Media Catcher

2009-03-20 23:06 . 2009-03-27 21:52 323,584 --a------ c:\windows\system32\AUDIOGENIE2.DLL

2009-03-19 17:01 . 2009-03-19 17:53 <DIR> d-------- c:\program files\iTunes

2009-03-19 17:01 . 2009-03-19 17:01 <DIR> d-------- c:\program files\iPod

2009-03-19 17:01 . 2009-03-19 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-19 16:55 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll

2009-03-11 17:02 . 2009-03-11 16:51 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-03-11 16:51 . 2009-03-11 16:50 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-03-11 16:45 . 2009-03-11 16:45 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-02 15:25 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-04-01 03:29 --------- d-----w c:\program files\Java

2009-03-29 19:48 --------- d-----w c:\program files\Avidemux 2.4

2009-03-29 19:41 --------- d-----w c:\documents and settings\Brian\Application Data\Audacity

2009-03-28 01:50 --------- d-----w c:\documents and settings\Brian\Application Data\gtk-2.0

2009-03-27 18:12 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-26 23:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-26 23:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-03-25 23:32 --------- d-----w c:\documents and settings\Brian\Application Data\AVS4YOU

2009-03-20 00:53 --------- d-----w c:\documents and settings\Brian\Application Data\Apple Computer

2009-03-20 00:01 --------- d-----w c:\program files\Common Files\Apple

2009-03-20 00:00 --------- d-----w c:\program files\Bonjour

2009-03-19 23:59 --------- d-----w c:\program files\QuickTime

2009-03-17 04:44 --------- d-----w c:\documents and settings\Brian\Application Data\Move Networks

2009-03-12 00:22 --------- d-----w c:\documents and settings\All Users\Application Data\RapidSolution

2009-03-11 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-03-06 06:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys

2009-02-26 20:38 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-24 05:13 --------- d-----w c:\program files\Free Video Tools

2009-02-20 20:43 --------- d-----w c:\documents and settings\Brian\Application Data\vlc

2009-02-20 20:35 --------- d-----w c:\program files\VideoLAN

2009-02-19 23:25 --------- d-----w c:\program files\iTunes Library Updater

2009-02-19 18:53 --------- d-----w c:\program files\Common Files\AVSMedia

2009-02-19 18:53 --------- d-----w c:\program files\AVS4YOU

2009-02-19 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU

2009-02-19 18:19 --------- d-----w c:\program files\PixiePack Codec Pack

2009-02-19 18:16 --------- d-----w c:\program files\RapidSolution

2009-02-19 18:09 --------- d-----w c:\program files\Ultra QuickTime Converter

2009-02-19 18:03 --------- d-----w c:\program files\MediaCoder

2009-02-19 18:03 --------- d-----w c:\documents and settings\Brian\Application Data\Broad Intelligence

2009-02-19 04:08 --------- d-----w c:\documents and settings\Brian\Application Data\ImTOO Software Studio

2009-02-19 04:07 --------- d-----w c:\program files\ImTOO

.

((((((((((((((((((((((((((((( SnapShot@2009-04-06_12.28.54.90 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-04-02 22:43:49 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-04-06 20:05:15 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-04-02 22:43:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-04-06 20:05:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-04-02 22:43:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-04-06 20:05:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-04-06 18:38:17 64,774 ----a-w c:\windows\system32\perfc009.dat

+ 2009-04-06 20:50:21 64,774 ----a-w c:\windows\system32\perfc009.dat

- 2009-04-06 18:38:17 409,800 ----a-w c:\windows\system32\perfh009.dat

+ 2009-04-06 20:50:21 409,800 ----a-w c:\windows\system32\perfh009.dat

+ 2009-04-06 21:26:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_374.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-08 344064]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-20 198160]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-03-14 160592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-04-20 25214]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-20 113664]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 581693]

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-04-07 184320]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-11 64160]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;c:\program files\Visioneer\OneTouch 4.0\OtService.exe [2007-09-21 131072]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-04-07 88192]

S2 UndeleteService;Executive Software Undelete;"c:\program files\Executive Software\Undelete\UdServe.exe" --> c:\program files\Executive Software\Undelete\UdServe.exe [?]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-10 109080]

S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [2007-09-25 15152]

S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [2007-06-01 17024]

S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [2007-06-01 120960]

S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-06-01 8064]

S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [2007-06-01 36992]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-10-10 17920]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-10-10 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-10 42112]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]

c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-11 16:49]

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

LSP: bmnet.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\thl3pekb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-06 14:26:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1040)

c:\windows\system32\bmnet.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\scardsvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\bmwebcfg.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\Crypserv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe

c:\windows\system32\wbem\wmiadap.exe

.

**************************************************************************

.

Completion time: 2009-04-06 14:30:12 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-06 21:30:10

ComboFix2.txt 2009-04-06 20:49:54

ComboFix3.txt 2009-04-06 19:29:40

Pre-Run: 7,050,506,240 bytes free

Post-Run: 7,033,880,576 bytes free

227 --- E O F --- 2009-03-20 10:02:17

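The "Reg Loading Points" section of the log above is where the poster's entry would show up: a value under HKLM\...\CurrentVersion\Run whose command is rundll32.exe loading a DLL dropped straight into C:\WINDOWS, and the log also records "AntiVirusOverride"=dword:00000001 under the Security Center key. The following Python checker is an added example, not code from the thread or from ComboFix: it parses that REGEDIT4-style section and flags both patterns. The sample input is constructed from the log's own layout; the way ComboFix would render the Hlipiyupadewiyo value, and its date and size, are assumptions.

```python
"""Flag suspicious autostarts in a ComboFix "Reg Loading Points" dump (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the REGEDIT4-style layout ComboFix uses. The last Run
# entry is the poster's persistence value as ComboFix would plausibly list it;
# its date and size are assumptions, not taken from the thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 c:\windows\AGRSMMSG.exe]
"Hlipiyupadewiyo"="rundll32.exe \"C:\WINDOWS\ujoduvakadevi.dll\",e" [2009-04-06 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
QUOTED_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"')   # first quoted field, \" allowed inside
WINDIR = r"c:\windows"                             # assumption: XP default, as in the log


@dataclass
class Finding:
    key: str
    name: str
    target: str
    reason: str


def split_command(cmd: str) -> List[str]:
    """Split a command line on spaces while honouring double quotes."""
    tokens, cur, quoted = [], "", False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def loaded_module(cmd: str) -> str:
    """Return the module that really runs: the DLL behind rundll32, else the exe."""
    if cmd.lower().endswith(".exe"):        # bare path, possibly with unquoted spaces
        return cmd.strip('"')
    tokens = split_command(cmd)
    if tokens and ntpath.basename(tokens[0]).lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]   # rundll32 takes <dll>,<entrypoint>
    return tokens[0] if tokens else ""


def judge(module: str) -> List[str]:
    """Heuristics for the pattern in this thread; legitimate software rarely matches."""
    mod, reasons = module.lower(), []
    if ntpath.dirname(mod) == WINDIR:
        reasons.append("module dropped directly in %WINDIR%, not system32 or Program Files")
    if mod.endswith(".dll"):
        reasons.append("DLL started through a host process; the DLL is the payload, not rundll32")
    return reasons


def analyze(log_text: str) -> List[Finding]:
    """Walk the dump, tracking the current key, and collect findings per value."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if key.lower().endswith(r"\security center"):
            if name == "AntiVirusOverride" and data.lower() == "dword:00000001":
                findings.append(Finding(key, name, data, "Security Center told to ignore missing/disabled AV"))
        elif key.lower().endswith(r"\run"):
            q = QUOTED_RE.match(data)
            if q:
                module = loaded_module(q.group(1).replace('\\"', '"'))
                for reason in judge(module):
                    findings.append(Finding(key, name, module, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.key}] {f.name} -> {f.target}: {f.reason}")
```

The Windows-root check is a heuristic for triage, not a verdict: the log above shows AGRSMMSG.exe (a modem helper) resolved by ComboFix to c:\windows\AGRSMMSG.exe in the bracketed field, so a version of this script that also used the resolved path would flag it too. Treat hits as things to look at by hand, which in this thread is exactly what the rundll32 entry needed, since deleting the value without removing whatever was rewriting it let it return.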

  • Staff

Hi,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now. :)


Well, the file has not returned, so that is a good sign. Thank you again for helping me.

On a slightly different note, why would anybody be so bored that they create these things to screw with people's computers? Do you think the perps should be tracked down and fined and/or imprisoned? I do.

~B


  • Staff

Hi,

On a slightly different note, why would anybody be so bored that they create these things to screw with peoples computers?
This is not about being bored though. There's a lot of money involved in this. Their goal isn't to screw up computers either; their goal is to earn as much money as they can by infecting computers. In your case it was to display advertisements and redirect searches, so every click on an advertisement or redirected search is money for them.

Then there's other malware that just spies on you and collects your passwords (bank passwords, others) to sell them on the internet.

Then there's also malware that suddenly pops up and tells you that you are infected and automatically installs a scanner, or gives you a link to install a scanner. These scanners are fake. They scan your computer, display fake warnings and alerts and ask you to purchase the scanner in order to remove the infection.

That's the whole point of today's malware: not because they are bored and not because they want to screw things up. It's all about money.

Of course they should be imprisoned, and many already are, but unfortunately many are hard to track down.

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
